When China’s White-Hat Hackers Go Patriotic

Lorand Laskai is a research associate in Asia studies program at the Council on Foreign Relations. You can follow him @lorandlaskai. 

Only hours after China’s Ministry of Foreign Affairs (MoFA) released the country’s first strategic document on cyberspace on March 1, which outlined the country’s vision for peaceful cooperation in cyberspace, patriotic Chinese hackers took down the website of a South Korean conglomerate at odds with Beijing.

On March 2 at 12:00 p.m. (Korean Standard Time) a distributed denial-of-service (DDoS) attack originating from China targeted the servers of Lotte Group and crashed the company’s website. The site remained inaccessible in all languages for several hours. Beijing has publicly exerted pressure on Lotte Group since December, when the firm agreed to transfer a plot of land to the South Korean military to host the U.S. Terminal High Altitude Area Defense (THAAD) system, a move China strongly opposes. The pressure reached a fever pitch last week as Lotte Group moved closer to signing the agreement, with Chinese authorities targeting Lotte’s businesses in China and state-media calling for a consumer boycott of Lotte’s products.

Shortly after Lotte Group’s website crashed, Huaxia Hacker Alliance, a Chinese hacker collective, took credit for the attack. In a post on Zhihu, which has since been deleted but reposted elsewhere, the leader of Huaxia, who goes by ObedientDog, bragged about his organization’s role and named three collaborators—1937CN, PANDA, and Aqi Dog. 1937CN made headlines in July when the patriotic hacker group compromised the announcement screen system at two Vietnamese airports.

While a MoFA official denied any Chinese government involvement in the attack, China has a long history of conveniently turning its back as patriotic hackers attack foreign targets. These operations sometimes have the government’s implicit support, though hackers often simply follow marching orders from nationalistic state-media, which whips up Chinese anger against external threats. With Beijing posing as the champion ofa peaceful cyberspace, will officials rein in its patriotic hackers?

The answer so far is maybe. Last week, Chinese authorities took down the site of 1937CN, signaling that Beijing might not tolerate patriots that march out of line. However, other actors involved in the attack have not faced punishment: the messaging boards of Huaxia Hacker Alliances are still online, so is a second post in which Obedient Dog uses the attack on Lotte Group to plug that his cybersecurity firm is recruiting. Notably, both Huaixa and Aqi Dog advertise themselves as cybersecurity professionals and white-hat hackers (Huaxia’s motto is “hackers do not do evil, but preserve security”). The background of these participants highlights the blurred lines between offense and defense in cyberspace, and the challenges the Chinese government will face separating the offensive hackers from the cybersecurity professionals.

In another post, without a hint of irony, ObedientDog suggests that other “white-hat hackers” join the patriotic struggle. Generally, white-hats find vulnerabilities in software for the defense and typically do not engage in DDoS attacks or own a network for the lulz. They often view their work as making the internet more secure for all users, regardless of location, and are bound by a professional code to refrain from malicious activity

This definition seems to be lost on many Chinese hackers seeking to serve the public good. In between plugging his own cybersecurity firm, offering advice on how to find a beautiful hacker girlfriends, and fielding technical questions, ObedientDog spends his time on Zhihu ranting about foreign affronts to Chinese pride. And he’s not the only one. Since the 1990s, many Chinese hackers have readily exchanged their white-hats for red-hats 红帽子 whenever they feel their nation is under assault. One of China’s most famous red-hat hackers, Wan Tao, simultaneously ran an IT firm as he hacked foreign targets, including the inboxes of Taiwanese politicians and the White House website. Predictably, Tao never faced repercussions from the Chinese authorities.

Since passing the 2016 Cybersecurity Law, the Chinese government has vowed to upgrade China’s cybersecurity infrastructure; this will require training legions of young talent to defend Chinese networks. By one estimate, China needs over 700,000 experts to meet current cybersecurity needs. Within the last year, the Chinese government and large enterprises have formed a cybersecurity volunteer alliance geared towards young people, underwritten an online drama show about white-hat hackers, and established a youth cybersecurity competition stylized after game shows. Many of these campaigns cast cybersecurity as a public service. At one recent gala for China’s cybersecurity volunteer alliance, the host likened the young hackers to the selfless warriors in the classic martial arts film House of Flying Daggers.

Beijing walks a fine line, as it tries to both energize young hackers with which a messages of public service resonates, but also restrain them from undercutting Beijing’s overall cyber strategy. The shuttering of 1937CN affords Beijing a degree of plausible deniability on the world stage. However, as long as Beijing needs cyber talent to build the country’s cyber capabilities, China will not turn on its patriotic white-hats.